UNIX file setuid security hole?

robertd at ncoast.UUCP robertd at ncoast.UUCP
Thu Mar 12 12:17:42 AEST 1987


	
	It just occurred to me that,
thanks to the chown command and "setuid
to owner when executing this C program",
no one's file is really safe.

	I mean, couldn't someone who
knows C a lot write a program that is
equivalent to "cat" that would display
another user's secret file, then simply
chmod the file to set to the owner's ID
upon execution? Then chown it to the
owner. Then execute the command. Your
uid will be set to the owner, who owns
the file you wish to see.


	For instance, let's say there
is a file called "foo", and John Smith
owns the file. Now let's say that Peter
Jones wants to see the file but can't,
because he's not allowed.

	Now Peter can write a program
called "xyz" that displays John's file.
However, Peter still can't access it.
Now, let's say that Peter sets the
permission on his program so that
anyone can access it, and the uid will be
set to owner (Peter). Now Peter then can
"chown" the command to John. The file
now belongs to John. Then Peter
executes the file. Since the file
permissions say to change ID to owner,
Peter's ID will be changed to John's ID
for the duration of the program. Now
Peter will BE ALLOWED to read John's
file.

	How can you protect against
this?

			[> Rd
-- 
[=====================================]
[             Rob DeMarco             ]
[ UUCP:decvax!cwruecmp!ncoast!robertd ]
[                                     ]
[ "bus error - passengers dumped"     ]
[=====================================]
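
Added example, not part of the original post: a C probe that applies the sequence described above (set-uid mode, then chown) to a scratch file and reports whether the file could be given away and whether the set-uid bit survived, which on current POSIX systems it does not for an unprivileged caller. The function names, `struct probe`, the `/tmp` scratch directory and the `getuid() + 1` target uid are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct probe {
    int suid_before;   /* set-uid bit present after chmod 4755 */
    int gave_away;     /* chown to another uid succeeded */
    int suid_after;    /* set-uid bit still present after chown */
};

/* Scratch file in dir: set mode 4755, try to hand it to other_uid (constructed
 * value); if refused, chown to ourselves so the bit handling is still seen. */
int probe_chown_setuid(const char *dir, uid_t other_uid, struct probe *out)
{
    char path[1024];
    struct stat st;
    int rc = -1, fd;
    snprintf(path, sizeof path, "%s/suidprobe.XXXXXX", dir);
    if ((fd = mkstemp(path)) < 0)   /* also fails if the template was truncated */
        return -1;
    if (fchmod(fd, S_ISUID | 0755) == 0 && fstat(fd, &st) == 0) {
        out->suid_before = (st.st_mode & S_ISUID) != 0;
        out->gave_away = fchown(fd, other_uid, (gid_t)-1) == 0;
        if ((out->gave_away || fchown(fd, getuid(), (gid_t)-1) == 0)
            && fstat(fd, &st) == 0) {
            out->suid_after = (st.st_mode & S_ISUID) != 0;
            rc = 0;
        }
    }
    close(fd);
    unlink(path);
    return rc;
}

/* The scenario needs a file that changed owner AND kept its set-uid bit. */
int scenario_blocked(const struct probe *p)
{
    return !(p->gave_away && p->suid_after);
}

int main(void)
{
    struct probe p = {0};
    if (probe_chown_setuid("/tmp", getuid() + 1, &p) != 0) return 2;
    printf("gave_away=%d suid_after=%d\n", p.gave_away, p.suid_after);
    return !scenario_blocked(&p);
}
```

Exit status 0 means the sequence is blocked on the system where the probe ran; 1 means a file both changed owner and kept its set-uid bit.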



More information about the Comp.unix.wizards mailing list